I just lost my server for an hour from a DOS, OSSEC noted the issues but didn't shun the IP Address. Not sure what I am doing wrong but this has been happening too much lately, twice in the last 24. Any suggestions?
[edit] I should mention there was multiple FTP attempts and lots of mail attempts from the same ip
Active Response not working
-
seriouslycr8ive
- Forum User
- Posts: 21
- Joined: Wed Jan 18, 2012 3:43 pm
- Location: Canada
Active Response not working
- Attachments
-
- these are my active response settings
- activeResponse.png (44.47 KiB) Viewed 5834 times
-
- This is a screen shot of the OSSEC logging the attacker
- server_issue.png (229.68 KiB) Viewed 5834 times
Re: Active Response not working
Verify that rule 40111 has active response set to enabled. (This is the default)
Grep the log file /var/ossec/logs/active-responses.log for occurrences of rule 40111 (or the IP of the attacker). All active responses are logged into this file. If it is logged here, but you are certain that the IP was not in fact shunned, something else is going wrong (firewall perhaps), ASL support might be able to help.
Grep the log file /var/ossec/logs/active-responses.log for occurrences of rule 40111 (or the IP of the attacker). All active responses are logged into this file. If it is logged here, but you are certain that the IP was not in fact shunned, something else is going wrong (firewall perhaps), ASL support might be able to help.
Lemonbit Internet Dedicated Server Management
-
seriouslycr8ive
- Forum User
- Posts: 21
- Joined: Wed Jan 18, 2012 3:43 pm
- Location: Canada
Re: Active Response not working
thanks, I checked and rule 40111 does have active response turned on, and I did a grep on that ip and it returned nothing. I should note, maybe it's related, my system isn't tracking attacks.
- Attachments
-
- Not tracking attacks
- attacks.png (84.39 KiB) Viewed 5815 times
-
- active response
- ar.png (44.11 KiB) Viewed 5815 times